Omni-channel end-point security

ABSTRACT

An Omni-channel security manager is provided. The Omni-channel security manager is configured to: receive selections for domain/channel specific security applications and deploy security agents to end-point devices. The security agents interact with the Omni-channel security manager to install, initiate, manage, and monitor the domain/channel specific security applications on the end-point devices.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 15/957,379, filed Apr. 19, 2018, which application and publication is incorporated herein by reference in its entirety.

BACKGROUND

Security is of utmost concern across all industries. A day does not go by without a major announcement that some company has had a data breach and customers' confidential information was compromised. Companies are now facing legal scrutiny for inadequately providing security to protect electronic assets.

Security is an even greater concern for Self-Service Terminals (SSTs, such as Automated Teller Machines (ATMs)) that dispense currency to customers. An ATM, if compromised, can be depleted of currency or can expose customers' account information.

The issue for enterprises is that each domain or communication channel through which the enterprise engages in business requires its own unique security processing. As a result, a security product in one domain is unusable and not portable to a different domain; each domain utilizes its own separate and unique security product.

This problem is compounded because security must exist end-to-end for any enterprise domain. That is, security is needed for any particular enterprise domain: on the customer-facing device, through any network connection of the customer-facing device, and on the back-end server that communicates over the network connection with the customer-facing device.

Maintaining all these security products is expensive and labor intensive, requiring many skilled technicians, likely for each domain of the enterprise. Additionally, security breaches can result in downtime for customer-facing devices, which means revenues can be adversely impacted because customers are unable to access the enterprise devices during a downtime.

Therefore, what is needed is improved Omni-channel (domain) end-point security for enterprises.

SUMMARY

In various embodiments, methods and a system for Omni-channel end-point security are presented.

According to an embodiment, a method for Omni-channel end-point security processing is presented. More particularly, a selection is received for a security application and an end-point device. The security application is configured for the end-point device as a domain/channel specific security application for a domain/channel associated with the end-point device. A security agent is deployed to the end-point device; the security agent installs and initiates the domain/channel specific security application on the end-point device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a system for Omni-channel end-point security processing, according to an example embodiment.

FIG. 2 is a diagram of a method for Omni-channel end-point security processing, according to an example embodiment.

FIG. 3 is a diagram of another method for Omni-channel end-point security processing, according to an example embodiment.

FIG. 4 is a diagram of another system for Omni-channel end-point security processing, according to an example embodiment.

DETAILED DESCRIPTION

FIG. 1 is a diagram of a system 100 for Omni-channel end-point security processing, according to an example embodiment. The various components are illustrated and the arrangement of the components is presented for purposes of illustration only. It is to be noted that other arrangements with more or fewer components are possible without departing from the Omni-channel end-point security teachings presented herein and below.

The techniques, methods, and system presented herein and below for Omni-channel end-point security processing can be implemented in whole or in part in one, all, or some combination of the components shown with the system 100. The techniques and methods are programmed as executable instructions in memory and/or non-transitory computer-readable storage media and processed on one or more processors associated with the various components.

As used herein the terms “customer,” “consumer,” and “user” may be used synonymously and interchangeably.

As used herein the phrase “Omni-channel” refers to processing that extends across multiple communication channels or processing domains. The channels can include communication and processing on: a Self-Service Terminal (SST), an Automated Teller Machine (ATM), a kiosk (travel, restaurant, hotel, grocery store, retailer, etc.), a Point-Of-Sale (POS) terminal operated by a clerk to check out a customer at an enterprise, a mobile device operated by a customer, a server, a cloud processing environment, and the like.

The system 100 includes: a server 110 having an Omni-channel security manager 111 and a plurality of devices 120 and 130, each device 120 and 130 operating over a specific communication channel or domain. Each device 120 and 130 includes a security agent 121 or 131 and a plurality of security applications 122 or 132. The system 100 also includes a plurality of enterprise servers 140, each enterprise server 140 including a security agent 141, security applications 142, and a security interface 143.

The Omni-channel security manager 111 is configured to deploy the security agents 121 and 131 to the devices 120 and 130, respectively. The security agents 121 and 131 independently enforce security on their respective devices 120 and 130 and interact with the Omni-channel security manager 111 for enforcing security when interacting with the server 110 and enterprise servers 140.

Initially, the security interface 143 is operated by enterprise personnel to identify the security applications 122, 132, and 142 and to identify devices 120 and 130 with the Omni-channel security manager 111. The security interface 143 permits a selection to be made from a plurality of security applications; the selection identifies the security applications 122, 132, and 142. Each security application (122, 132, 142) represents a specific type of desired end-point security being requested by the enterprise through the security interface 143.

The plurality of security applications available for selection as the security applications (122, 132, and 142) can include, by way of example only: device hardening (locking down menus, operations, and windows selectable and viewable from the devices 120 and 130), application/device whitelisting (security that is based on an identifier for a valid application/device (which can process on or access the devices 120 and 130) being present in a whitelist file on the devices 120 and 130), device hard disk encryption, Basic Input/Output System (BIOS) remote and secure management including remote BIOS updating, operation or transaction validation through hashing algorithms and validation, and any other available security application being used or desired by the enterprise over the devices 120 and 130 and the domains (channels).

It is noted that in some instances the security applications 122 and 132 process on a processor of a peripheral device that is integrated into or interfaced with the devices 120 and 130. For example, a cash dispenser integrated into an ATM (device 120 or 130) may utilize a custom transaction-based hashing algorithm for transactions to validate a dispense command to dispense currency from a safe of the ATM. The hashing algorithm and validation processing represent a particular security application 122 or 132.

The security interface 143 also permits the enterprise personnel to configure the security applications 122, 132, and 142, such as for generating encryption and decryption keys processed by the security applications 122, 132, and 142. Configuration can also identify where in a process flow the security applications 122, 132, and 142 are to enforce their security on the devices 120, 130, and 140: for example, when the device boots, as a pre-boot process within the BIOS, when a specific operation is attempted, during a transaction process flow, etc.

Once the security applications 122, 132, and 142 are selected and configured through the interface 143, the Omni-channel security manager 111 causes the security agents 121, 131, and 141 to be deployed and installed on the devices 120, 130, and 140. Once deployed, each security agent 121, 131, and 141 interacts with the Omni-channel security manager 111 to obtain the security applications 122, 132, and 142 and install the security applications 122, 132, and 142 on their respective devices 120, 130, and 140.

The security agents 121, 131, and 141 also report security audit information, receive updates to the applications 122, 132, and 142 from the Omni-channel security manager 111, and monitor the applications 122, 132, and 142.

The security agents 121, 131, and 141 may also be responsible for dynamically checking the digital signatures or checksum values associated with each of the applications 122, 132, and 142 processing on their respective devices 120, 130, and 140. The security agents 121, 131, and 141 can remove any application 122, 132, or 142 from memory of the devices 120, 130, and 140 when signatures or checksum values cannot be validated, and can shut down operation of other processes on the devices 120, 130, and 140. In some situations, if checksums or signatures are corrupted, and depending on the security application 122, 132, or 142, the agents 121, 131, and 141 may shut down the device 120, 130, or 140.

It is noted that an enterprise may also obtain (as mentioned above) security applications 142 for its servers 140 through the security interface 143 and the Omni-channel security manager 111.

Each endpoint device 120, 130, and 140 of an enterprise can custom select, custom configure, and custom deploy desired security applications 122, 132, and 142. The security applications 122, 132, and 142 are monitored and managed by the security agents 121, 131, and 141.

The system 100 allows an enterprise to custom manage and deploy security applications 122, 132, and 142 across a plurality of channels/domains (120, 130, and 140) with a single point of management through the Omni-channel security manager 111. This can substantially reduce enterprise staff and expense associated with maintaining enterprise security and permit security products (applications 122, 132, and 142) to be properly configured and deployed to different enterprise channels or domains through the Omni-channel security manager 111. Thus, security applications 122, 132, and 142 can be leveraged and used across domains (Omni-channel).

These embodiments and other embodiments are now discussed with reference to the FIGS. 2-4.

FIG. 2 is a diagram of a method 200 for Omni-channel end-point security processing, according to an example embodiment. The software module(s) that implements the method 200 is referred to as an “Omni-channel security manager.” The Omni-channel security manager is implemented as executable instructions programmed and residing within memory and/or a non-transitory computer-readable (processor-readable) storage medium and executed by one or more processors of a device. The processor(s) of the device that executes the Omni-channel security manager are specifically configured and programmed to process the Omni-channel security manager. The Omni-channel security manager has access to one or more networks during its processing. The networks can be wired, wireless, or a combination of wired and wireless.

In an embodiment, the Omni-channel security manager is the Omni-channel security manager 111.

In an embodiment, the device that executes the Omni-channel security manager is the server 110.

In an embodiment, the device that executes the Omni-channel security manager is a plurality of servers logically organized as a cloud processing environment.

At 210, the Omni-channel security manager receives a selection for a security application and an end-point device. This can be through an interface with an enterprise server that is associated with the end-point device.

According to an embodiment, at 211, the Omni-channel security manager provides, through an interface, a list of available security applications to a remote server (operated by a user). The Omni-channel security manager identifies the selection through the interface based on actions taken by the user at the remote server.

At 220, the Omni-channel security manager configures the security application for the end-point device as a domain/channel specific security application for a domain/channel associated with the end-point device.

In an embodiment, at 221, the Omni-channel security manager configures the domain/channel specific security application for custom encryption and decryption processing.

In an embodiment, at 222, the Omni-channel security manager configures a process flow for activation of the domain/channel specific security application on the end-point device. This was discussed above with the description of the FIG. 1 and the system 100.

In an embodiment, at 223, the Omni-channel security manager configures the domain/channel specific security application to provide BIOS security on the end-point device.

In an embodiment, at 224, the Omni-channel security manager configures the domain/channel specific security application for activation on the end-point device as a pre-boot process before or during initiation of a BIOS on the end-point device.

At 230, the Omni-channel security manager deploys a security agent to the end-point device. Once deployed and initiated on the end-point device, the security agent installs and initiates the domain/channel specific security application on the end-point device.

In an embodiment, at 231, the Omni-channel security manager configures the security agent for authenticating back to the Omni-channel security manager from the end-point device and communicating securely with the Omni-channel security manager from the end-point device.

In an embodiment of 231 and at 232, the Omni-channel security manager configures the security agent to process custom encryption and decryption when communicating with the Omni-channel security manager.

In an embodiment, at 233, the Omni-channel security manager configures the agent to receive and install updates to the domain/channel specific security application that are received from the Omni-channel security manager.

In an embodiment, at 234, the Omni-channel security manager configures the security agent to enforce a security policy based on monitoring of the domain/channel specific security application.

In an embodiment, at 235, the Omni-channel security manager configures the security agent to report monitoring information gathered by the security agent for the domain/channel specific application back to the Omni-channel security manager.

In an embodiment of 235 and at 236, the Omni-channel security manager provides the monitoring information to a remote server associated with the end-point device.

FIG. 3 is a diagram of another method 300 for Omni-channel end-point security processing, according to an example embodiment. The software module(s) that implement the method 300 is referred to herein as a “security agent.” The security agent is implemented as executable instructions and programmed within memory and/or a non-transitory computer-readable (processor-readable) storage medium that executes on one or more processors of a device. The processors of the device are specifically configured to execute the security agent. The security agent has access to one or more networks; the networks can be wired, wireless, or a combination of wired and wireless.

In an embodiment, the security agent is one of: 121, 131, and 141.

In an embodiment, the device that executes the security agent is one of: device 120, device 130, and device 140.

Multiple independently custom-configured instances of the security agent process within a networked environment. Each instance of the security agent is responsible for a single end-point device of the network environment and is configured for the domain/channel associated with that single end-point device.

The security agent is initially deployed by the Omni-channel security manager 111 or the method 200 to the device (channel or domain) that the security agent is responsible for monitoring and managing security on.

At 310, the security agent obtains a domain/channel specific security application from an Omni-channel security manager, such as the Omni-channel security manager 111 and/or the method 200.

At 320, the security agent installs and initiates for execution the domain/channel specific application on an end-point device (the same device that is executing the security agent).

At 330, the security agent enforces a security policy based on monitoring of the processing associated with the domain/channel specific security application. The security policy defines the monitored information captured for the domain/channel specific security application and the processing actions that the security agent is to process in response thereto.

In an embodiment, at 331, the security agent reports monitoring information defined in the security policy back to the Omni-channel security manager. The monitoring information is captured as the domain/channel specific security application processes on the end-point device.

In an embodiment, at 332, the security agent receives a request for monitoring information associated with the processing of the domain/channel specific security application and, responsive to the request, the security agent provides the monitoring information to the Omni-channel security manager and/or an enterprise server associated with the end-point device (this is an on-demand request for the monitoring information processed by the security agent).

According to an embodiment, at 340, the security agent continuously verifies a digital processing signature or a checksum value for the domain/channel specific security application. This was discussed above with the FIG. 1 and the system 100.

In an embodiment of 340 and at 341, the security agent processes an action on the end-point device when the digital processing signature or the checksum value does not match an expected signature or an expected value for the domain/channel specific security application. The action is defined in the security policy. This can include a variety of actions discussed above with the FIG. 1 and the system 100, such as shutting down the end-point device, killing the processing instance of the domain/channel specific security application, and the like.

In an embodiment, at 350, the security agent installs an update to the domain/channel specific security application that is dynamically received from the Omni-channel security manager.
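The verification and enforcement behaviour described at 340 and 341 (and for the agents 121, 131, and 141 in the description of FIG. 1), as an added Python example that is not code from the patent: SecurityPolicy, AgentReport, verify_and_enforce and the sample application images are assumptions made for this illustration.

```python
# Added example, not code from the patent: a minimal security-agent integrity
# check with policy-driven enforcement, modelled on the agent behaviour the
# text describes. The names (SecurityPolicy, AgentReport, verify_and_enforce)
# and the sample application images are assumptions made for this example.
import hashlib
import hmac
from dataclasses import dataclass, field

# Escalating actions an agent may take when an application fails validation.
REMOVE_APP = "remove_app"            # unload the failing application only
HALT_PROCESSES = "halt_processes"    # also stop other processes on the device
SHUTDOWN_DEVICE = "shutdown_device"  # also power the device down


@dataclass
class SecurityPolicy:
    """Expected SHA-256 (hex) per application id, and the action on mismatch.

    An application with no expected checksum is not whitelisted and is
    treated exactly like one whose checksum does not match."""
    expected_sha256: dict
    on_mismatch: dict
    default_action: str = REMOVE_APP


@dataclass
class AgentReport:
    """Monitoring information the agent reports back to the manager."""
    verified: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # (app_id, action) pairs
    loaded: list = field(default_factory=list)    # applications left in memory
    processes_halted: bool = False
    device_state: str = "running"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_and_enforce(policy: SecurityPolicy, installed: dict) -> AgentReport:
    """Check each installed application image against the policy and apply
    the configured action for every failure; stop once the device is down."""
    report = AgentReport()
    for app_id, image in installed.items():
        expected = policy.expected_sha256.get(app_id)
        # compare_digest: constant-time comparison of the two hex digests
        if expected is not None and hmac.compare_digest(sha256_hex(image), expected):
            report.verified.append(app_id)
            report.loaded.append(app_id)
            continue
        report.failed.append(app_id)
        action = policy.on_mismatch.get(app_id, policy.default_action)
        report.actions.append((app_id, action))
        # every action at least leaves the failing application out of memory
        if action in (HALT_PROCESSES, SHUTDOWN_DEVICE):
            report.processes_halted = True
        if action == SHUTDOWN_DEVICE:
            report.device_state = "shutdown"
            break  # nothing further runs once the device is shut down
    return report


def demo() -> AgentReport:
    """Constructed sample: three selected applications, one tampered image,
    and one application never selected through the interface."""
    good = {
        "device_hardening": b"hardening image v1",
        "app_whitelisting": b"whitelist image v1",
        "disk_encryption": b"disk encryption image v1",
    }
    policy = SecurityPolicy(
        expected_sha256={k: sha256_hex(v) for k, v in good.items()},
        on_mismatch={"disk_encryption": SHUTDOWN_DEVICE},
    )
    installed = {
        "device_hardening": good["device_hardening"],
        "rogue_tool": b"not selected through the interface",   # not whitelisted
        "app_whitelisting": good["app_whitelisting"],
        "disk_encryption": b"disk encryption image v1 (modified)",  # tampered
    }
    return verify_and_enforce(policy, installed)
```

Calling `demo()` returns the report the agent would send back at 331: the two intact applications verified, the unselected tool removed, and the tampered disk-encryption image triggering the device shutdown its policy entry specifies.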

FIG. 4 is a diagram of another system 400 for Omni-channel end-point security processing, according to an example embodiment. The components of the system 400 are programmed and reside within memory and/or a non-transitory computer-readable medium and execute on one or more processors of the devices of the system 400. The system 400 also has access to and can communicate over one or more networks; the networks can be wired, wireless, or a combination of wired and wireless.

The system 400 is configured and programmed to perform the processing discussed above with the FIGS. 1-3.

The system 400 includes a server 401 having an Omni-channel security manager 402 and at least one end-point device 403 having a security agent 404.

In an embodiment, the server 401 is the server 110.

In an embodiment, the server 401 is a part of a cloud processing environment.

In an embodiment, the Omni-channel security manager 402 is the Omni-channel security manager 111.

In an embodiment, the Omni-channel security manager 402 is the method 200.

In an embodiment, the at least one end-point device 403 is one or more of devices 120, 130, and 140.

In an embodiment, the security agent 404 is one of: security agents 121, 131, and 141.

In an embodiment, the security agent 404 is the method 300.

The Omni-channel security manager 402 executes on at least one hardware processor of the server 401 and is configured to: (i) receive a selection of a security application for the at least one end-point device 403, (ii) configure the security application as a domain/channel specific security application associated with a domain/channel associated with the at least one end-point device 403, and (iii) deploy the security agent 404 to the at least one end-point device 403.

The security agent 404 executes on at least one hardware processor of the at least one end-point device 403 and is configured to: (i) obtain the domain/channel specific security application from the Omni-channel security manager 402 once deployed to the at least one end-point device 403, (ii) initiate the domain/channel specific security application on the at least one end-point device 403, and (iii) enforce a security policy in response to monitoring processing of the domain/channel specific security application on the at least one end-point device 403.

In an embodiment, the at least one end-point device 403 is one or more of: a SST (ATM, etc.), a POS terminal, a kiosk (travel, kitchen, restaurant, hotel, etc.), a mobile device, a network-voice enabled appliance, and a device that is part of the Internet-Of-Things (IoT).

It should be appreciated that where software is described in a particular form (such as a component or module) this is merely to aid understanding and is not intended to limit how software that implements those functions may be architected or structured. For example, modules may be illustrated as separate modules, but may be implemented as homogenous code, as individual components, some, but not all of these modules may be combined, or the functions may be implemented in software structured in any other convenient manner.

Furthermore, although the software modules are illustrated as executing on one piece of hardware, the software may be distributed over multiple processors of a single device, or in any other convenient manner.

The above description is illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

In the foregoing description of the embodiments, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Description of the Embodiments, with each claim standing on its own as a separate exemplary embodiment.

The invention claimed is:
1. A method, comprising: receiving a selection that identifies a security application, a domain/channel, and an endpoint device; configuring a process flow of the security application to identify within the process flow where a security operation is to be enforced by the endpoint device during transaction process flows for transactions processed on the endpoint device over the domain/channel; deploying a security agent to the endpoint device that initiates the security application on the endpoint device; and monitoring the security application for the domain/channel during the transactions.

2. The method of claim 1, wherein receiving further includes providing a list of available security applications for inclusion in the selection through an interface, wherein the list comprises device hardening operations, application/device authorized operations by application/device identifiers, and device hard disk encryption operations.

3. The method of claim 2, wherein receiving further includes identifying the endpoint device as a peripheral device interfaced to a different device as a peripheral of that different device.

4. The method of claim 3, wherein configuring further includes receiving encryption and decryption keys through the interface and further configuring the security application for encryption and decryption utilizing the encryption and decryption keys.

5. The method of claim 2, wherein deploying further includes configuring the security agent to receive and to process updates made to the security application on the endpoint device.

6. The method of claim 5, wherein deploying further includes configuring the security agent to check a digital signature of the security application.

7. The method of claim 6, wherein deploying further includes configuring the security agent to remove the security application from the endpoint device when the digital signature of the security application cannot be verified by the security agent.

8. The method of claim 1, wherein deploying further includes configuring the security agent to report security audit information for the security application and the domain/channel for use in the monitoring.

9. The method of claim 1, wherein deploying further includes configuring the security agent to shut down the endpoint device when the digital signature of the security application cannot be verified by the security agent.

10. The method of claim 1 further comprising, processing the receiving, the configuring, the deploying, and the monitoring as a single point of management of an enterprise for the security application of the domain/channel and other security applications associated with other domains/channels.

11. A method, comprising: providing an interface to an enterprise; receiving a security application associated with a domain/channel and an endpoint device of the enterprise through the interface; receiving a location within a process flow of the security application that a security operation is to be processed through the interface during transactions processed within transaction flows on the endpoint device over the domain/channel; configuring the process flow of the security application to process the security operation for the transactions on the endpoint device over the domain/channel; configuring a security agent to install and activate the security application on the endpoint device; and deploying the security agent to the endpoint device.

12. The method of claim 11 further comprising, monitoring the transactions of the domain/channel through the security application.

13. The method of claim 11, wherein configuring the security agent further includes configuring the security agent to dynamically receive and install updates to the security application on the endpoint device.

14. The method of claim 11, wherein configuring the security agent further includes configuring the security agent to verify a digital signature of the security application during boots of the endpoint device.

15. The method of claim 11, wherein configuring the security agent further includes configuring the security agent to capture audit information for the security application and to report the audit information.

16. The method of claim 11, wherein configuring the security agent further includes configuring the security agent to remove the security agent and shut down the endpoint device when the security agent is unable to verify a digital signature for the security application.

17. The method of claim 11 further comprising, monitoring the security application during the transactions over the domain/channel through reporting by the security agent.

18. The method of claim 17 further comprising, instructing the security agent to update and re-initiate the security application based on the monitoring.